System Safeguards Testing Requirements

The Commodity Futures Trading Commission (``Commission'' or ``CFTC'') is adopting final rules amending its current system safeguards rules for designated contract markets, swap execution facilities, and swap data repositories, by enhancing and clarifying current provisions relating to system safeguards risk analysis and oversight and cybersecurity testing, and adding new provisions concerning certain aspects of cybersecurity testing. The final rules clarify the Commission's current system safeguards rules for all designated contract markets, swap execution facilities, and swap data repositories by specifying and defining the types of cybersecurity testing essential to fulfilling system safeguards testing obligations. These testing types are vulnerability testing, penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessment. The final rules also clarify current rule provisions respecting: The categories of risk analysis and oversight that statutorily-required programs of system safeguards- related risk analysis and oversight must address; system safeguards- related books and records obligations; the scope of system safeguards testing; internal reporting and review of testing results; and remediation of vulnerabilities and deficiencies. In addition, the final rules adopt new provisions set forth in the Commission's Notice of Proposed Rulemaking, applicable to covered designated contract markets (as defined) and all swap data repositories, establishing minimum frequency requirements for conducting certain types of cybersecurity testing, and requiring performance of certain tests by independent contractors.